.github/workflows/ci.yml

@@ -1,71 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup .NET
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: '10.0.x'
-
-      - name: Cache NuGet packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.nuget/packages
-          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
-          restore-keys: |
-            ${{ runner.os }}-nuget-
-
-      - name: Cache Docker image (postgres)
-        id: docker-cache
-        uses: actions/cache@v4
-        with:
-          path: /tmp/docker-postgres.tar
-          key: ${{ runner.os }}-docker-postgres-18.1
-
-      - name: Load cached postgres image or pull
-        run: |
-          if [ -f /tmp/docker-postgres.tar ]; then
-            docker load -i /tmp/docker-postgres.tar
-          else
-            docker pull postgres:18.1
-            docker save postgres:18.1 -o /tmp/docker-postgres.tar
-          fi
-
-      - name: Restore dependencies
-        run: dotnet restore
-
-      - name: Build
-        run: dotnet build --no-restore --configuration Release
-
-      - name: Test with coverage
-        run: |
-          dotnet test --no-build --configuration Release \
-            --collect:"XPlat Code Coverage" \
-            --results-directory ./coverage \
-            -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=cobertura
-
-      - name: Code Coverage Report
-        uses: irongut/CodeCoverageSummary@v1.3.0
-        with:
-          filename: coverage/**/coverage.cobertura.xml
-          badge: true
-          format: markdown
-          output: both
-
-      - name: Upload coverage artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: coverage-report
-          path: ./coverage/**/coverage.cobertura.xml
-          retention-days: 7

IdentityShroud.Api.Tests/Apis/ClientApiTests.cs

@@ -1,179 +0,0 @@
-using System.Net;
-using System.Net.Http.Json;
-using IdentityShroud.Core;
-using IdentityShroud.Core.Model;
-using IdentityShroud.Core.Tests.Fixtures;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.DependencyInjection;
-
-namespace IdentityShroud.Api.Tests.Apis;
-
-public class ClientApiTests : IClassFixture<ApplicationFactory>
-{
-    private readonly ApplicationFactory _factory;
-
-    public ClientApiTests(ApplicationFactory factory)
-    {
-        _factory = factory;
-
-        using var scope = _factory.Services.CreateScope();
-        var db = scope.ServiceProvider.GetRequiredService<Db>();
-        if (!db.Database.EnsureCreated())
-        {
-            db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
-        }
-    }
-
-    [Theory]
-    [InlineData(null, false, "ClientId")]
-    [InlineData("", false, "ClientId")]
-    [InlineData("my-client", true, "")]
-    public async Task Create_Validation(string? clientId, bool succeeds, string fieldName)
-    {
-        // setup
-        Realm realm = await CreateRealmAsync("test-realm", "Test Realm");
-
-        var client = _factory.CreateClient();
-
-        // act
-        var response = await client.PostAsync(
-            $"/api/v1/realms/{realm.Id}/clients",
-            JsonContent.Create(new { ClientId = clientId }),
-            TestContext.Current.CancellationToken);
-
-#if DEBUG
-        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
-#endif
-
-        if (succeeds)
-        {
-            Assert.Equal(HttpStatusCode.Created, response.StatusCode);
-        }
-        else
-        {
-            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
-            var problemDetails =
-                await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
-                    TestContext.Current.CancellationToken);
-
-            Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
-        }
-    }
-
-    [Fact]
-    public async Task Create_Success_ReturnsCreatedWithLocation()
-    {
-        // setup
-        Realm realm = await CreateRealmAsync("create-realm", "Create Realm");
-
-        var client = _factory.CreateClient();
-
-        // act
-        var response = await client.PostAsync(
-            $"/api/v1/realms/{realm.Id}/clients",
-            JsonContent.Create(new { ClientId = "new-client", Name = "New Client" }),
-            TestContext.Current.CancellationToken);
-
-#if DEBUG
-        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
-#endif
-
-        // verify
-        Assert.Equal(HttpStatusCode.Created, response.StatusCode);
-
-        var body = await response.Content.ReadFromJsonAsync<ClientCreateReponse>(
-            TestContext.Current.CancellationToken);
-
-        Assert.NotNull(body);
-        Assert.Equal("new-client", body.ClientId);
-        Assert.True(body.Id > 0);
-    }
-
-    [Fact]
-    public async Task Create_UnknownRealm_ReturnsNotFound()
-    {
-        var client = _factory.CreateClient();
-
-        var response = await client.PostAsync(
-            $"/api/v1/realms/{Guid.NewGuid()}/clients",
-            JsonContent.Create(new { ClientId = "some-client" }),
-            TestContext.Current.CancellationToken);
-
-        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
-    }
-
-    [Fact]
-    public async Task Get_Success()
-    {
-        // setup
-        Realm realm = await CreateRealmAsync("get-realm", "Get Realm");
-        Client dbClient = await CreateClientAsync(realm, "get-client", "Get Client");
-
-        var httpClient = _factory.CreateClient();
-
-        // act
-        var response = await httpClient.GetAsync(
-            $"/api/v1/realms/{realm.Id}/clients/{dbClient.Id}",
-            TestContext.Current.CancellationToken);
-
-#if DEBUG
-        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
-#endif
-
-        // verify
-        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-
-        var body = await response.Content.ReadFromJsonAsync<ClientRepresentation>(
-            TestContext.Current.CancellationToken);
-
-        Assert.NotNull(body);
-        Assert.Equal(dbClient.Id, body.Id);
-        Assert.Equal("get-client", body.ClientId);
-        Assert.Equal("Get Client", body.Name);
-        Assert.Equal(realm.Id, body.RealmId);
-    }
-
-    [Fact]
-    public async Task Get_UnknownClient_ReturnsNotFound()
-    {
-        // setup
-        Realm realm = await CreateRealmAsync("notfound-realm", "NotFound Realm");
-
-        var httpClient = _factory.CreateClient();
-
-        // act
-        var response = await httpClient.GetAsync(
-            $"/api/v1/realms/{realm.Id}/clients/99999",
-            TestContext.Current.CancellationToken);
-
-        // verify
-        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
-    }
-
-    private async Task<Realm> CreateRealmAsync(string slug, string name)
-    {
-        using var scope = _factory.Services.CreateScope();
-        var db = scope.ServiceProvider.GetRequiredService<Db>();
-        var realm = new Realm { Slug = slug, Name = name };
-        db.Realms.Add(realm);
-        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
-        return realm;
-    }
-
-    private async Task<Client> CreateClientAsync(Realm realm, string clientId, string? name = null)
-    {
-        using var scope = _factory.Services.CreateScope();
-        var db = scope.ServiceProvider.GetRequiredService<Db>();
-        var client = new Client
-        {
-            RealmId = realm.Id,
-            ClientId = clientId,
-            Name = name,
-            CreatedAt = DateTime.UtcNow,
-        };
-        db.Clients.Add(client);
-        await db.SaveChangesAsync(TestContext.Current.CancellationToken);
-        return client;
-    }
-}

IdentityShroud.Api.Tests/Apis/RealmApisTests.cs

@@ -114,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
     {
         // act
         var client = _factory.CreateClient();
-        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
+        var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
             TestContext.Current.CancellationToken);
         
         // verify
@@ -130,13 +130,11 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
         using var rsa = RSA.Create(2048);
         RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
 
-        RealmKey realmKey = new()
+        RealmKey realmKey = new(
-        {
+            Guid.NewGuid(),
-            Id = Guid.NewGuid(),
+            "RSA",
-            KeyType = "RSA",
+            encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
-            Key = encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
+            DateTime.UtcNow);
-            CreatedAt = DateTime.UtcNow,
-        };
 
         await ScopedContextAsync(async db =>
         {

IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs

@@ -1,6 +1,11 @@
+using IdentityShroud.Core.Services;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.EntityFrameworkCore.Infrastructure;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.VisualStudio.TestPlatform.TestHost;
+using Npgsql;
 using Testcontainers.PostgreSql;
 
 namespace IdentityShroud.Core.Tests.Fixtures;
@@ -28,10 +33,7 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
                 new Dictionary<string, string?>
                 {
                     ["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
-                    ["secrets:master:0:Id"] = "key1",
+                    ["Encryption:Master"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
-                    ["secrets:master:0:Active"] = "true",
-                    ["secrets:master:0:Algorithm"] = "AES",
-                    ["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
                 });
         });
         

IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs

@@ -0,0 +1,17 @@
+using IdentityShroud.Api.Mappers;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.TestUtils.Substitutes;
+using Microsoft.AspNetCore.WebUtilities;
+
+namespace IdentityShroud.Api.Tests.Mappers;
+
+// public class KeyMapperTests
+// {
+//     private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+//
+//     [Fact]
+//     public void Test()
+//     {
+//     }
+// }

IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs

@@ -21,12 +21,12 @@ public class KeyServiceTests
 
         RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
         
-        RealmKey realmKey = new()
+        RealmKey realmKey = new(
+            new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
+            "RSA",
+            rsa.ExportPkcs8PrivateKey(),
+            DateTime.UtcNow)
         {
-            Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
-            KeyType = "RSA",
-            Key = new("", rsa.ExportPkcs8PrivateKey()),
-            CreatedAt = DateTime.UtcNow,
             Priority = 10,
         };
         
@@ -34,7 +34,6 @@ public class KeyServiceTests
         KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
         var jwk = sut.CreateJsonWebKey(realmKey);
 
-        Assert.NotNull(jwk);
         Assert.Equal("RSA", jwk.KeyType);
         Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
         Assert.Equal("sig", jwk.Use);

IdentityShroud.Api/Apis/ClientApi.cs

@@ -1,14 +1,14 @@
 using FluentResults;
-using IdentityShroud.Api.Mappers;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Services;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc;
 
 namespace IdentityShroud.Api;
 
 
-
 public record ClientCreateReponse(int Id, string ClientId);
 
 /// <summary>
@@ -34,18 +34,13 @@ public static class ClientApi
             .WithName(ClientGetRouteName);
     }
 
-    private static Ok<ClientRepresentation> ClientGet(
+    private static Task ClientGet(HttpContext context)
-        Guid realmId,
-        int clientId,
-        HttpContext context)
     {
-        Client client = (Client)context.Items["ClientEntity"]!;
+        throw new NotImplementedException();
-        return TypedResults.Ok(new ClientMapper().ToDto(client));
     }
 
     private static async Task<Results<CreatedAtRoute<ClientCreateReponse>, InternalServerError>>
         ClientCreate(
-            Guid realmId,
             ClientCreateRequest request, 
             [FromServices] IClientService service,
             HttpContext context,
@@ -69,5 +64,6 @@ public static class ClientApi
                 ["realmId"] = realm.Id,
                 ["clientId"] = client.Id, 
             });
+        throw new NotImplementedException();
     }
 }

IdentityShroud.Api/Apis/Dto/ClientRepresentation.cs

@@ -1,16 +0,0 @@
-namespace IdentityShroud.Api;
-
-public record ClientRepresentation
-{
-    public int Id { get; set; }
-    public Guid RealmId { get; set; }
-    public required string ClientId { get; set; }
-    public string? Name { get; set; }
-    public string? Description { get; set; }
-    
-    public string? SignatureAlgorithm { get; set; }
-    
-    public bool AllowClientCredentialsFlow { get; set; } = false;
-    
-    public required DateTime CreatedAt { get; set; }
-}

IdentityShroud.Api/Apis/Filters/ClientIdValidationFilter.cs

@@ -7,9 +7,8 @@ public class ClientIdValidationFilter(IClientService clientService) : IEndpointF
 {
     public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
     {
-        Guid realmId = context.Arguments.OfType<Guid>().First();
         int id = context.Arguments.OfType<int>().First();
-        Client? client = await clientService.FindById(realmId, id, context.HttpContext.RequestAborted);
+        Client? client = await clientService.FindById(id, context.HttpContext.RequestAborted);
         if (client is null)
         {
             return Results.NotFound();

IdentityShroud.Api/Apis/Filters/RealmSlugValidationFilter.cs

@@ -1,5 +1,6 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Services;
 
 namespace IdentityShroud.Api;
 

IdentityShroud.Api/Apis/Mappers/ClientMapper.cs

@@ -1,11 +0,0 @@
-using IdentityShroud.Core.Model;
-using Riok.Mapperly.Abstractions;
-
-namespace IdentityShroud.Api.Mappers;
-
-[Mapper]
-public partial class ClientMapper
-{
-    [MapperIgnoreSource(nameof(Client.Secrets))]
-    public partial ClientRepresentation ToDto(Client client);
-}

IdentityShroud.Api/Apis/Mappers/KeyMapper.cs

@@ -1,6 +1,9 @@
+using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
+using Microsoft.AspNetCore.WebUtilities;
 
 namespace IdentityShroud.Api.Mappers;
 

IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs

@@ -1,22 +0,0 @@
-using FluentValidation;
-using IdentityShroud.Core.Contracts;
-
-namespace IdentityShroud.Api;
-
-public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
-{
-    // most of standard ascii minus the control characters and space 
-    private const string ClientIdPattern = "^[\x21-\x7E]+";
-
-    private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
-    
-    public ClientCreateRequestValidator()
-    {
-        RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
-        RuleFor(e => e.Name).MaximumLength(80);
-        RuleFor(e => e.Description).MaximumLength(2048);
-        RuleFor(e => e.SignatureAlgorithm)
-            .Must(v => v is null || AllowedAlgorithms.Contains(v))
-            .WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
-    }
-}

IdentityShroud.Api/AppJsonSerializerContext.cs

@@ -1,6 +1,7 @@
 using System.Text.Json.Serialization;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Messages.Realm;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
 
 [JsonSerializable(typeof(OpenIdConfiguration))]
 [JsonSerializable(typeof(RealmCreateRequest))]

IdentityShroud.Api/IdentityShroud.Api.csproj

@@ -17,7 +17,7 @@
     <ItemGroup>
         <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
         <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0"/>
-        <PackageReference Include="Riok.Mapperly" Version="4.3.1" />
+        <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
         <PackageReference Include="Serilog" Version="4.3.0" />
         <PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
         <PackageReference Include="Serilog.Expressions" Version="5.0.0" />

IdentityShroud.Core.Tests/Fixtures/DbFixture.cs

@@ -1,4 +1,5 @@
-using Microsoft.Extensions.Logging.Abstractions;
+using DotNet.Testcontainers.Containers;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Npgsql;
 using Testcontainers.PostgreSql;

IdentityShroud.Core.Tests/IdentityShroud.Core.Tests.csproj

@@ -30,4 +30,8 @@
       <ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
     </ItemGroup>
 
+    <ItemGroup>
+      <Folder Include="Model\" />
+    </ItemGroup>
+
 </Project>

IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs

@@ -72,8 +72,8 @@ public class JwtSignatureGeneratorTests
         var rsa = RSA.Create();
         var parameters = new RSAParameters
         {
-            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
+            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus),
-            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
+            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent)
         };
         
         rsa.ImportParameters(parameters);

IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs

@@ -0,0 +1,21 @@
+using System.Security.Cryptography;
+using System.Text;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Tests.Security;
+
+public class AesGcmHelperTests
+{
+    [Fact]
+    public void EncryptDecryptCycleWorks()
+    {
+        string input = "Hello, world!";
+
+        var encryptionKey = RandomNumberGenerator.GetBytes(32);
+
+        var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
+        var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
+        
+        Assert.Equal(input, Encoding.UTF8.GetString(output));
+    }
+}

IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs

@@ -1,61 +0,0 @@
-using System.Text;
-using IdentityShroud.Core.Security;
-using Microsoft.Extensions.Configuration;
-
-namespace IdentityShroud.Core.Tests.Security;
-
-public class ConfigurationSecretProviderTests
-{
-    private static IConfiguration BuildConfigFromJson(string json)
-    {
-        // Convert the JSON string into a stream that the config builder can read.
-        var jsonBytes = Encoding.UTF8.GetBytes(json);
-        using var stream = new MemoryStream(jsonBytes);
-
-        // Build the configuration just like the real app does, but from the stream.
-        var config = new ConfigurationBuilder()
-            .AddJsonStream(stream)   // <-- reads from the in‑memory JSON
-            .Build();
-
-        return config;
-    }
-
-    [Fact]
-    public void Test()
-    {
-        string jsonConfig = """
-            {
-                "secrets": {
-                    "master": [
-                        {
-                            "Id": "first",
-                            "Active": true,
-                            "Algorithm": "AES",
-                            "Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
-                        },
-                        {
-                            "Id": "second",
-                            "Active": false,
-                            "Algorithm": "AES",
-                            "Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
-                        }
-                    ]    
-                }
-            }
-            """;
-        
-
-        ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
-
-        var keys = sut.GetKeys("master");
-
-        Assert.Equal(2, keys.Length);
-        var active = keys.Single(k => k.Active);
-        Assert.Equal("first", active.Id);
-        Assert.Equal("AES", active.Algorithm);
-        Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
-
-        var inactive = keys.Single(k => !k.Active);
-        Assert.Equal("second", inactive.Id);
-    }
-}

IdentityShroud.Core.Tests/Services/ClientServiceTests.cs

@@ -108,7 +108,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
         await using var actContext = _dbFixture.CreateDbContext();
         // Act
         ClientService sut = new(actContext, _encryptionService, _clock);
-        Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);
+        Client? result = await sut.GetByClientId(clientId, TestContext.Current.CancellationToken);
 
         // Verify
         if (shouldFind)
@@ -143,7 +143,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
         await using var actContext = _dbFixture.CreateDbContext();
         // Act
         ClientService sut = new(actContext, _encryptionService, _clock);
-        Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);
+        Client? result = await sut.FindById(searchId, TestContext.Current.CancellationToken);
 
         // Verify
         if (shouldFind)

IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs

@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Services;
 
@@ -8,139 +9,18 @@ public class EncryptionServiceTests
     [Fact]
     public void RoundtripWorks()
     {
-        // Note this code will tend to only test the latest verion.
-
         // setup
-        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
         var secretProvider = Substitute.For<ISecretProvider>();
-        EncryptionKey[] keys =
+        secretProvider.GetSecret("Master").Returns(key);
-        [
-            new EncryptionKey("1", true, "AES", keyValue)
-        ];
-        secretProvider.GetKeys("master").Returns(keys);
             
-            
+        EncryptionService sut = new(secretProvider);
-        ReadOnlySpan<byte> input = "Hello, World!"u8;
+        byte[] input = RandomNumberGenerator.GetBytes(16);
         
         // act
-        EncryptionService sut = new(secretProvider);
+        var cipher = sut.Encrypt(input);
-        EncryptedValue cipher = sut.Encrypt(input.ToArray());
+        var result = sut.Decrypt(cipher);
-        byte[] result = sut.Decrypt(cipher);
 
-        // verify
         Assert.Equal(input, result);
     }
-
-    [Fact]
-    public void DecodeV1_Success()
-    {
-        // When introducing a new version we need version specific tests to 
-        // make sure decoding of legacy data still works.
-        
-        // setup
-        byte[] cipher =
-        [
-            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
-            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
-        ];
-        EncryptedValue secret = new("kid", cipher);
-        
-        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
-        var secretProvider = Substitute.For<ISecretProvider>();
-        EncryptionKey[] keys =
-        [
-            new EncryptionKey("kid", true, "AES", keyValue)
-        ];
-        secretProvider.GetKeys("master").Returns(keys);
-
-        // act
-        EncryptionService sut = new(secretProvider);
-        byte[] result = sut.Decrypt(secret);
-
-        // verify
-        Assert.Equal("Hello, World!"u8, result);
-    }
-
-    [Fact]
-    public void DetectsCorruptInput()
-    {
-        // When introducing a new version we need version specific tests to 
-        // make sure decoding of legacy data still works.
-        
-        // setup
-        byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
-        [
-            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
-            193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
-        ];
-        EncryptedValue secret = new("kid", cipher);
-        
-        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
-        var secretProvider = Substitute.For<ISecretProvider>();
-        EncryptionKey[] keys =
-        [
-            new EncryptionKey("kid", true, "AES", keyValue)
-        ];
-        secretProvider.GetKeys("master").Returns(keys);
-
-        // act
-        EncryptionService sut = new(secretProvider);
-        Assert.Throws<InvalidOperationException>(
-            () => sut.Decrypt(secret),
-            ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
-    }
-
-    [Fact]
-    public void DecodeSelectsRightKey()
-    {
-        // The key is marked inactive also it is the second key
-        
-        // setup
-        byte[] cipher =
-        [
-            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
-            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
-        ];
-        EncryptedValue secret = new("1", cipher);
-        
-        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
-        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
-        var secretProvider = Substitute.For<ISecretProvider>();
-        EncryptionKey[] keys =
-        [
-            new EncryptionKey("2", true, "AES", keyValue2),
-            new EncryptionKey("1", false, "AES", keyValue1),
-        ];
-        secretProvider.GetKeys("master").Returns(keys);
-
-        // act
-        EncryptionService sut = new(secretProvider);
-        byte[] result = sut.Decrypt(secret);
-
-        // verify
-        Assert.Equal("Hello, World!"u8, result);
-    }
-    
-    [Fact]
-    public void EncryptionUsesActiveKey()
-    {
-        // setup
-        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
-        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
-        var secretProvider = Substitute.For<ISecretProvider>();
-        EncryptionKey[] keys =
-        [
-            new EncryptionKey("1", false, "AES", keyValue1),
-            new EncryptionKey("2", true, "AES", keyValue2),
-        ];
-        secretProvider.GetKeys("master").Returns(keys);
-
-        ReadOnlySpan<byte> input = "Hello, World!"u8;
-        // act
-        EncryptionService sut = new(secretProvider);
-        EncryptedValue cipher = sut.Encrypt(input.ToArray());
-        
-        // Verify
-        Assert.Equal("2", cipher.KeyId);
-    }
 }

IdentityShroud.Core.Tests/Services/RealmServiceTests.cs

@@ -3,6 +3,7 @@ using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
+using IdentityShroud.TestUtils.Substitutes;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Tests.Services;
@@ -39,13 +40,7 @@ public class RealmServiceTests : IClassFixture<DbFixture>
         await using (var db = _dbFixture.CreateDbContext())
         {
             _keyService.CreateKey(Arg.Any<KeyPolicy>())
-                .Returns(new RealmKey() 
+                .Returns(new RealmKey(Guid.NewGuid(), "TST", [21], DateTime.UtcNow));
-                { 
-                    Id = Guid.NewGuid(), 
-                    KeyType = "TST", 
-                    Key = new("kid", [21]),
-                    CreatedAt = DateTime.UtcNow
-                });
             // Act
             RealmService sut = new(db, _keyService);
             var response = await sut.Create(

IdentityShroud.Core.Tests/UnitTest1.cs

@@ -2,6 +2,7 @@
 using System.Text;
 using System.Text.Json;
 using IdentityShroud.Core.DTO;
+using IdentityShroud.Core.Messages;
 using Microsoft.AspNetCore.WebUtilities;
 
 namespace IdentityShroud.Core.Tests;
@@ -66,9 +67,9 @@ public static class JwtReader
         return new JsonWebToken()
         {
             Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
             Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
             Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
         };
     }

IdentityShroud.Core/Contracts/IClientService.cs

@@ -2,6 +2,18 @@ using IdentityShroud.Core.Model;
 
 namespace IdentityShroud.Core.Contracts;
 
+//public record CreateClientRequest(Guid RealmId, string ClientId, string? Description);
+
+public class ClientCreateRequest
+{
+    public required string ClientId { get; set; }
+    public string? Name { get; set; }
+    public string? Description { get; set; }
+    public string? SignatureAlgorithm { get; set; }
+    public bool? AllowClientCredentialsFlow { get; set; }
+}
+
+
 public interface IClientService
 {
     Task<Result<Client>> Create(
@@ -9,6 +21,6 @@ public interface IClientService
         ClientCreateRequest request, 
         CancellationToken ct = default);
 
-    Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
+    Task<Client?> GetByClientId(string clientId, CancellationToken ct = default);
-    Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
+    Task<Client?> FindById(int id, CancellationToken ct = default);
 }

IdentityShroud.Core/Contracts/IEncryptionService.cs

@@ -2,6 +2,6 @@ namespace IdentityShroud.Core.Contracts;
 
 public interface IEncryptionService
 {
-    EncryptedValue Encrypt(ReadOnlyMemory<byte> plain);
+    byte[] Encrypt(byte[] plain);
-    byte[] Decrypt(EncryptedValue input);
+    byte[] Decrypt(ReadOnlyMemory<byte> cipher);
 }

IdentityShroud.Core/Contracts/ISecretProvider.cs

@@ -3,10 +3,4 @@ namespace IdentityShroud.Core.Contracts;
 public interface ISecretProvider
 {
     string GetSecret(string name);
-
-    /// <summary>
-    /// Should return one active key, might return inactive keys.
-    /// </summary>
-    /// <returns></returns>
-    EncryptionKey[] GetKeys(string name);
 }

IdentityShroud.Core/DTO/Client/ClientCreateRequest.cs

@@ -1,10 +0,0 @@
-namespace IdentityShroud.Core.Contracts;
-
-public class ClientCreateRequest
-{
-    public required string ClientId { get; set; }
-    public string? Name { get; set; }
-    public string? Description { get; set; }
-    public string? SignatureAlgorithm { get; set; }
-    public bool? AllowClientCredentialsFlow { get; set; }
-}

IdentityShroud.Core/Helpers/SlugHelper.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Globalization;
 using System.Security.Cryptography;
 using System.Text;

IdentityShroud.Core/IdentityShroud.Core.csproj

@@ -13,7 +13,6 @@
       <PackageReference Include="jose-jwt" Version="5.2.0" />
       <PackageReference Include="LanguageExt.Core" Version="4.4.9" />
       <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
-      <PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
       <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
     </ItemGroup>
     
@@ -21,4 +20,10 @@
         <Using Include="FluentResults" />
     </ItemGroup>
 
+    <ItemGroup>
+      <Reference Include="Microsoft.AspNetCore.WebUtilities">
+        <HintPath>..\..\..\.nuget\packages\microsoft.aspnetcore.webutilities\10.0.2\lib\net10.0\Microsoft.AspNetCore.WebUtilities.dll</HintPath>
+      </Reference>
+    </ItemGroup>
+
 </Project>

IdentityShroud.Core/Model/Client.cs

@@ -1,5 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
+using IdentityShroud.Core.Security;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Model;

IdentityShroud.Core/Model/ClientSecret.cs

@@ -1,6 +1,5 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
-using IdentityShroud.Core.Contracts;
 
 namespace IdentityShroud.Core.Model;
 
@@ -12,5 +11,5 @@ public class ClientSecret
     public Guid ClientId { get; set; }
     public DateTime CreatedAt { get; set; }
     public DateTime? RevokedAt { get; set; }
-    public required EncryptedValue Secret { get; set; }
+    public required byte[] SecretEncrypted { get; set; }
 }

IdentityShroud.Core/Model/Realm.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
 using IdentityShroud.Core.Security;
+using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Model;
 

IdentityShroud.Core/Model/RealmKey.cs

@@ -1,19 +1,15 @@
 using System.ComponentModel.DataAnnotations.Schema;
-using IdentityShroud.Core.Contracts;
-using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Model;
 
 
 [Table("realm_key")]
-public record RealmKey
+public record RealmKey(Guid Id, string KeyType, byte[] KeyDataEncrypted, DateTime CreatedAt)
 {
-    public required Guid Id { get; init; }
+    public Guid Id { get; private set; } = Id;
-    public required string KeyType { get; init; }
+    public string KeyType { get; private set; } = KeyType;
-
+    public byte[] KeyDataEncrypted { get; private set; } = KeyDataEncrypted;
-    
+    public DateTime CreatedAt { get; private set; } = CreatedAt;
-    public required EncryptedValue Key { get; init; }
-    public required DateTime CreatedAt { get; init; }
     public DateTime? RevokedAt { get; set; }
 
     /// <summary>

IdentityShroud.Core/Security/AesGcmHelper.cs

@@ -0,0 +1,70 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class AesGcmHelper
+{
+    
+    public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
+    {
+        int tagSize = AesGcm.TagByteSizes.MaxSize;
+        using var aes = new AesGcm(key, tagSize);
+        
+        Span<byte> nonce = stackalloc byte[AesGcm.NonceByteSizes.MaxSize];
+        RandomNumberGenerator.Fill(nonce);
+        Span<byte> ciphertext = stackalloc byte[plaintext.Length];
+        Span<byte> tag = stackalloc byte[tagSize];
+
+        aes.Encrypt(nonce, plaintext, ciphertext, tag);
+
+        // Return concatenated nonce|ciphertext|tag
+        var result = new byte[nonce.Length + ciphertext.Length + tag.Length];
+        nonce.CopyTo(result.AsSpan(0, nonce.Length));
+        ciphertext.CopyTo(result.AsSpan(nonce.Length, ciphertext.Length));
+        tag.CopyTo(result.AsSpan(nonce.Length + ciphertext.Length, tag.Length));
+        return result;
+    }
+    
+    // --------------------------------------------------------------------
+    // DecryptAesGcm
+    //   • key      – 32‑byte (256‑bit) secret key (same key used for encryption)
+    //   • payload  – byte[] containing nonce‖ciphertext‖tag
+    //   • returns  – the original plaintext bytes
+    // --------------------------------------------------------------------
+    public static byte[] DecryptAesGcm(ReadOnlyMemory<byte> payload, byte[] key)
+    {
+        if (key == null)     throw new ArgumentNullException(nameof(key));
+        if (key.Length != 32) // 256‑bit key
+            throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
+
+        // ----------------------------------------------------------------
+        // 1️⃣ Extract the three components.
+        // ----------------------------------------------------------------
+        // AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
+        // AesGcm.TagByteSizes.MaxSize   = 16 bytes (128‑bit authentication tag)
+        int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
+        int tagSize   = AesGcm.TagByteSizes.MaxSize;   // 16
+
+        if (payload.Length < nonceSize + tagSize)
+            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
+
+        ReadOnlySpan<byte> nonce = payload.Span[..nonceSize];
+        ReadOnlySpan<byte> ciphertext = payload.Span.Slice(nonceSize, payload.Length - nonceSize - tagSize);
+        ReadOnlySpan<byte> tag = payload.Span.Slice(payload.Length - tagSize, tagSize);
+
+        byte[] plaintext = new byte[ciphertext.Length];
+
+        using var aes = new AesGcm(key, tagSize);
+        try
+        {
+            aes.Decrypt(nonce, ciphertext, tag, plaintext);
+        }
+        catch (CryptographicException ex)
+        {
+            // Tag verification failed → tampering or wrong key/nonce.
+            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
+        }
+
+        return plaintext;
+    }
+}

IdentityShroud.Core/Security/ConfigurationSecretProvider.cs

@@ -14,9 +14,4 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
     {
         return secrets.GetValue<string>(name) ?? "";
     }
-
-    public EncryptionKey[] GetKeys(string name)
-    {
-        return secrets.GetSection(name).Get<EncryptionKey[]>() ?? [];
-    }
 }

IdentityShroud.Core/Security/EncryptedValue.cs

@@ -1,6 +0,0 @@
-using Microsoft.EntityFrameworkCore;
-
-namespace IdentityShroud.Core.Contracts;
-
-[Owned]
-public record EncryptedValue(string KeyId, byte[] Value);

IdentityShroud.Core/Security/EncryptionKey.cs

@@ -1,4 +0,0 @@
-namespace IdentityShroud.Core.Contracts;
-
-// Contains an encryption key and associated relevant data
-public record EncryptionKey(string Id, bool Active, string Algorithm, byte[] Key);

IdentityShroud.Core/Security/JsonWebAlgorithm.cs

@@ -1,3 +1,5 @@
+using System.Security.Cryptography;
+
 namespace IdentityShroud.Core.Security;
 
 public static class JsonWebAlgorithm

IdentityShroud.Core/Security/Keys/IKeyProvider.cs

@@ -1,4 +1,5 @@
 using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
 
 namespace IdentityShroud.Core.Security.Keys;
 

IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs

@@ -1,6 +1,8 @@
 using System.Buffers.Text;
 using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
 
 namespace IdentityShroud.Core.Security.Keys.Rsa;
 

IdentityShroud.Core/Security/RsaHelper.cs

@@ -0,0 +1,16 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class RsaHelper
+{
+    /// <summary>
+    /// Load RSA private key from PKCS#8 format
+    /// </summary>
+    public static RSA LoadFromPkcs8(byte[] pkcs8Key)
+    {
+        var rsa = RSA.Create();
+        rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
+        return rsa;
+    }
+}

IdentityShroud.Core/Services/ClientService.cs

@@ -34,20 +34,14 @@ public class ClientService(
         return client;
     }
 
-    public async Task<Client?> GetByClientId(
+    public async Task<Client?> GetByClientId(string clientId, CancellationToken ct = default)
-        Guid realmId,
-        string clientId, 
-        CancellationToken ct = default)
     {
-        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
+        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId, ct);
     }
 
-    public async Task<Client?> FindById(
+    public async Task<Client?> FindById(int id, CancellationToken ct = default)
-        Guid realmId,
-        int id, 
-        CancellationToken ct = default)
     {
-        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
+        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id, ct);
     }
 
     private ClientSecret CreateSecret()
@@ -57,7 +51,7 @@ public class ClientService(
         return new ClientSecret()
         {
             CreatedAt = clock.UtcNow(),
-            Secret = cryptor.Encrypt(secret),
+            SecretEncrypted = cryptor.Encrypt(secret),
         };
 
     }

IdentityShroud.Core/Services/EncryptionService.cs

@@ -1,5 +1,5 @@
-using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
 
 namespace IdentityShroud.Core.Services;
 
@@ -8,85 +8,20 @@ namespace IdentityShroud.Core.Services;
 /// </summary>
 public class EncryptionService : IEncryptionService
 {
-    private record struct AlgVersion(int NonceSize, int TagSize);
+    private readonly byte[] encryptionKey;
-
-    private AlgVersion[] _versions = 
-    [
-        new(0, 0), // version 0 does not realy exist
-        new (12, 16), // version 1
-    ];
-    
-    // Note this array is expected to have one item in it most of the during key rotation it will have two
-    // until it is ensured the old key can safely be removed. More then two will work but is not really expected.
-    private readonly EncryptionKey[] _encryptionKeys;
-
-    private EncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
-    private EncryptionKey GetKey(string keyId) => _encryptionKeys.Single(k => k.Id == keyId);
 
     public EncryptionService(ISecretProvider secretProvider)
     {
-        _encryptionKeys = secretProvider.GetKeys("master");
+        encryptionKey = Convert.FromBase64String(secretProvider.GetSecret("Master"));
-        // if (_encryptionKey.Length != 32) // 256‑bit key
-        //     throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
     }
 
-    public EncryptedValue Encrypt(ReadOnlyMemory<byte> plaintext)
+    public byte[] Encrypt(byte[] plain)
     {
-        const int versionNumber = 1; 
+        return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
-        AlgVersion versionParams = _versions[versionNumber];
-
-        int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
-        // allocate buffer for complete response 
-        var result = new byte[resultSize];
-        
-        result[0] = (byte)versionNumber;
-
-        // make the spans that point to the parts of the result where their data is located
-        var nonce = result.AsSpan(1, versionParams.NonceSize); 
-        var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
-        var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
-
-        // use the spans to place the data directly in its place
-        RandomNumberGenerator.Fill(nonce);
-        var encryptionKey = ActiveKey;
-        using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
-        aes.Encrypt(nonce, plaintext.Span, cipher, tag);
-
-        return new (encryptionKey.Id, result);
     }
 
-    public byte[] Decrypt(EncryptedValue input)
+    public byte[] Decrypt(ReadOnlyMemory<byte> cipher)
     {
-        var encryptionKey = GetKey(input.KeyId);
+        return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
-        
-        var payload = input.Value.AsSpan();
-        int versionNumber = (int)payload[0];
-        if (versionNumber != 1)
-            throw new ArgumentException("Invalid payload");
-        
-        AlgVersion versionParams = _versions[versionNumber];
-        
-        
-        if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
-            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
-
-        ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
-        ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
-        ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
-
-        byte[] plaintext = new byte[cipher.Length];
-
-        using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
-        try
-        {
-            aes.Decrypt(nonce, cipher, tag, plaintext);
-        }
-        catch (CryptographicException ex)
-        {
-            // Tag verification failed → tampering or wrong key/nonce.
-            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
-        }
-
-        return plaintext;
     }
 }

IdentityShroud.Core/Services/KeyService.cs

@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages;
 using IdentityShroud.Core.Model;
@@ -29,18 +30,23 @@ public class KeyService(
         
         IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
         provider.SetJwkParameters(
-            cryptor.Decrypt(realmKey.Key),
+            cryptor.Decrypt(realmKey.KeyDataEncrypted),
             jwk);
 
         return jwk;
     }
 
     private RealmKey CreateKey(string keyType, byte[] plainKey) =>
-        new RealmKey()
+        new RealmKey(
-            {
+            Guid.NewGuid(),
-                Id = Guid.NewGuid(),
+            keyType,
-                KeyType = keyType,
+            cryptor.Encrypt(plainKey),
-                Key = cryptor.Encrypt(plainKey),
+            clock.UtcNow());
-                CreatedAt = clock.UtcNow(),
+
-            };
+    // public byte[] GetPrivateKey(IEncryptionService encryptionService)
+    // {
+    //     if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
+    //         _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
+    //     return _privateKeyDecrypted;
+    // }
 }

IdentityShroud.Core/Services/RealmService.cs

@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Helpers;
 using IdentityShroud.Core.Messages.Realm;

IdentityShroud.TestUtils/Asserts/JsonObjectAssert.cs

@@ -1,5 +1,6 @@
 using System.Text.Json.Nodes;
 using System.Text.RegularExpressions;
+using Xunit;
 
 namespace IdentityShroud.TestUtils.Asserts;
 

IdentityShroud.TestUtils/Asserts/ResultAssert.cs

@@ -1,4 +1,5 @@
 using FluentResults;
+using Xunit;
 
 namespace IdentityShroud.Core.Tests;
 

IdentityShroud.TestUtils/IdentityShroud.TestUtils.csproj

@@ -10,7 +10,6 @@
     <ItemGroup>
       <PackageReference Include="FluentResults" Version="4.0.0" />
       <PackageReference Include="xunit.v3.assert" Version="3.2.2" />
-      <PackageReference Include="NSubstitute" Version="5.3.0" />
     </ItemGroup>
 
     <ItemGroup>
@@ -22,4 +21,10 @@
         <Using Include="NSubstitute"/>
     </ItemGroup>
 
+    <ItemGroup>
+      <Reference Include="NSubstitute">
+        <HintPath>..\..\..\.nuget\packages\nsubstitute\5.3.0\lib\net6.0\NSubstitute.dll</HintPath>
+      </Reference>
+    </ItemGroup>
+
 </Project>

IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs

@@ -8,11 +8,11 @@ public static class EncryptionServiceSubstitute
     {
         var encryptionService = Substitute.For<IEncryptionService>();
         encryptionService
-            .Encrypt(Arg.Any<ReadOnlyMemory<byte>>())
+            .Encrypt(Arg.Any<byte[]>())
-            .Returns(x => new EncryptedValue("kid", x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray()));
+            .Returns(x => x.ArgAt<byte[]>(0));
         encryptionService
-            .Decrypt(Arg.Any<EncryptedValue>())
+            .Decrypt(Arg.Any<ReadOnlyMemory<byte>>())
-            .Returns(x => x.ArgAt<EncryptedValue>(0).Value);
+            .Returns(x => x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray());
         return encryptionService;
     }
 }

IdentityShroud.sln.DotSettings.user

@@ -14,18 +14,20 @@
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AOkOfT_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe2a19de442f561af862af2dcad0852b7e62707a5cf194d266d1656f92bbb6d2_003FOkOfT_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcdd0beaf7beaf8366c0862f34fe40da30911084d957625ab31577851ee8cae7_003FPostgreSqlBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlContainer_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc82112acf224de1d157da0309437b227be6c1ef877865c23872f49eaf9d73c_003FPostgreSqlContainer_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AReadOnlyMemory_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc19b2538fdfabf70658aed8979dd83e9ca11e27f5b3df68950e8ecb4d879e_003FReadOnlyMemory_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AResultsOfT_002EGenerated_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fff2e2c5ca93c7786ef8425ca6caf751702328924211687ce72e74fd1265e8_003FResultsOfT_002EGenerated_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARouteGroupBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fd42b8f8feda3bfb3dc17f133a52ce45931ed5066c46a4d834c8ed46e0a6_003FRouteGroupBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002ESerialization_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F8433b9271c0f176fb5ceb7b1c3d62e1318fe8e62b4e5d7e882952dc543fec_003FThrowHelper_002ESerialization_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATypedResults_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcea118513a410f660e578fe32bed95cf86457dd135e4b4632ca91eb4f7b_003FTypedResults_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AWebEncoders_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fce6b69dd397f614758bc5821136ec8af3fa22563dd657769e231f51be1fbbc_003FWebEncoders_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
-	
+	<s:String x:Key="/Default/dotCover/Editor/HighlightingSourceSnapshotLocation/@EntryValue">/home/eelke/.cache/JetBrains/Rider2025.3/resharper-host/temp/Rider/vAny/CoverageData/_IdentityShroud.-1277985570/Snapshot/snapshot.utdcvr</s:String>
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/DotNetCliExePath/@EntryValue">/home/eelke/.dotnet/dotnet</s:String>
 	<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/CustomBuildToolPath/@EntryValue">/home/eelke/.dotnet/sdk/10.0.102/MSBuild.dll</s:String>
-	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=b20a3316_002Db435_002D49e2_002Dbeaf_002De4cd62c44994/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=4bf578c0_002Dc8f9_002D46e4_002D9bdc_002D38da0a3f253a/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
   &lt;Solution /&gt;
 &lt;/SessionState&gt;</s:String>
+	<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=7ce84f90_002D6ae2_002D4e9e_002D860e_002Deb90f45871f3/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="Junie Session" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
+  &lt;ProjectFile&gt;DC887623-8680-4D3B-B23A-D54F7DA91891/d:Services/f:ClientServiceTests.cs&lt;/ProjectFile&gt;
+&lt;/SessionState&gt;</s:String>
 	
 	
 	
@@ -34,7 +36,4 @@
 	
 	
 	
-	
-	
-	
 	</wpf:ResourceDictionary>

README.md

@@ -1,15 +0,0 @@
-# IdentityShroud
-
-IdentityShroud is a .NET project for identity management and protection.
-
-## Build and Test
-
-```bash
-dotnet restore
-dotnet build
-dotnet test
-```
-
-## Coverage
-
-Coverage reports are generated automatically in CI and displayed in pull request comments.